Solved

IIS 6.0 Win2003 Server asp login & security

Posted on 2004-09-20
Last Modified: 2009-07-29
I'm looking for a full working example, or even a purchased product, that will -

Have a login.asp page containing 2 text boxes (username & password). User submits page to authenticatepage.asp, where a database is searched to determine if it is a valid username & pwd. Depending on the username, a specific asp page will be opened. I need to use session objects (I think) since I cannot have the user bookmark the page and return to it without going through the logIn page.

Some of the pages for the user are asp and others are html.

Thanks

Question by:Malek103197
6 Comments
 
LVL 31

Expert Comment

by:alorentz
ID: 12101639
What do you want?  This site is to help with problems....not write code for you.
0
 
LVL 2

Expert Comment

by:Coolhand2120
ID: 12102201
Make an HTML page with the two text inputs (username & password) and a submit button.  Then in the form tag in the action property (<form action="****" where *** is your submit page).  This will send the user to this page when they click submit.  You'll need to connect to a database and because you don't specify what kind of database you wish to use, even if EE did write code for you....  Then you can use response.redirect to point the user to the 'logged on' page or the 'not logged on' page.

ANYHOW, if you do know what your database is, post it and I'll help with HOW to do it.  I'm totally willing to spend an absurd amount of time teaching you how to create this.

I'd suggest using cookies, session objects are slow and unwieldy.
Don't forget!  You're in the ASP section of EE so we are assuming you're using ASP and a server that can use ASP.
If you have no clue what I'm talking about, hire someone that does, you shouldn't be doing this.
Even if you purchase a program you'll still need to purchase a database (SQL, Access etc.).

-Coolhand2120
0
 

Author Comment

by:Malek103197
ID: 12103111
Ok, I'm trying to make sense of this script...

The way I interpret it is that when a page is opened and there is not a session UID, the user will be directed to the logIn page, but I'm not clear on what the author is referring to with HTTP_REFERRER.
Need a bit of help understanding this script.

Thanks

Every Page
The script is implemented by including the following code above the <html> tag of every page;

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
If Session("UID") = "" Then
HTTP_REFERRER = Request.ServerVariables("URL")
If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
End If
End If
%>



Login.asp -
Script
If the script on the requested page determines that the UID session variable has not been set, the user is redirected to the login page. The login page contains the following code above the <html> tag;

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
If Login Then
Session("UID") = UserObject.Item("username")
'Set Session("UID") = UserObject
If HTTP_REFERRER  = "" Then
Response.Redirect "default.htm"
Else
Response.Redirect HTTP_REFERRER
End If
Else
Status = "Invalid Login... Please Try Again."
End If
End If

Function Login
Dim conn, rs, sql, dbFIle
dbFile = "login.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM users WHERE username = '" & _
 Request.Form("Username") & "' AND password = '" & Request.Form("Password") & "'"
rs.Open sql, conn, 3, 3
If Not rs.EOF Then
Set UserObject = CreateObject("Scripting.Dictionary")
For each field in rs.Fields
UserObject.Add field.name, field.value
Next
Login = True
Else
Login = False
End If
rs.Close
set rs = nothing
conn.Close
set conn = nothing
End Function
%>
<html>
0

 
LVL 2

Accepted Solution

by:
Coolhand2120 earned 250 total points
ID: 12106800
Wow... well I can tell you that this is an odd script.  HTTP_REFERER is very very unreliable, 50% of the time it doesn't work.  It's supposed to return the URL of the page that sent the user to the current page.  If you want to put the user back to the page they just came from I'd use client side javascript location.history.  But I don't think you're interested in this.

THIS:

<%
Dim HTTP_REFERRER
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
If Not(IsObject(Session("UID"))) Then
If Session("UID") = "" Then
HTTP_REFERRER = Request.ServerVariables("URL")
If Request.QueryString <> "" Then HTTP_REFERRER = HTTP_REFERRER & "?" & Request.QueryString
Response.Redirect "login.asp?HTTP_REFERRER=" & Server.URLEncode(HTTP_REFERRER)
End If
End If
%>


would be easier if it said:

<%

if request.cookies("userID") <> "" then
  userID = request.cookies("userID")
else
  response.redirect "logon.asp"
end if

%>



This:

<%
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Cache-Control", "no-cache"
Dim HTTP_REFERRER, UserObject
Status = "Please log in."
HTTP_REFERRER = Request("HTTP_REFERRER")
If Request.Form("username") <> "" Then
If Login Then
Session("UID") = UserObject.Item("username")
'Set Session("UID") = UserObject
If HTTP_REFERRER  = "" Then
Response.Redirect "default.htm"
Else
Response.Redirect HTTP_REFERRER
End If
Else
Status = "Invalid Login... Please Try Again."
End If
End If

Function Login
Dim conn, rs, sql, dbFIle
dbFile = "login.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath(dbFile) & ";"
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM users WHERE username = '" & _
 Request.Form("Username") & "' AND password = '" & Request.Form("Password") & "'"
rs.Open sql, conn, 3, 3
If Not rs.EOF Then
Set UserObject = CreateObject("Scripting.Dictionary")
For each field in rs.Fields
UserObject.Add field.name, field.value
Next
Login = True
Else
Login = False
End If
rs.Close
set rs = nothing
conn.Close
set conn = nothing
End Function
%>


Would be easier if it said:
Your logon.asp page should have this script at the top

<%
if request.form("Username") <> "" then

'This block below will connect to your database to look up stuff
 Set rs = Server.CreateObject("ADODB.Recordset")
 rs.ActiveConnection = "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
 rs.Source = "Select * from users where username = '" & request.form("username") & "' and password = '" & request.form("password") & "'"
 rs.CursorType = 0
 rs.CursorLocation = 2
 rs.LockType = 1
 rs.Open()

  'If the recordset was empty (no matching username / password)
 if rs.eof or rs.bof then
   response.redirect "logon.asp?badpassword=1"    'This is where it would send users that type bad u/p
 else
   response.cookies("userID") = request.form("username")   'this sets the username into a cookie called "userID" which you can check later and see if its empty or not
   response.redirect "default.asp"  'Redirect to wherever you want to put the user after they logon correctly
 end if

'Clean up DB connection objects

  rs.close
  set rs = nothing

end if
%>

logon.asp should have this after the asp part:

<form method="post" action="logon.asp">

<input name="username" type="text">
<input name="password" type="password">
<input type="submit">

</form>

Sorry I pretty much rewrote your script there, if you still have problems just post again!

-Coolhand2120
0
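
The scripts in this thread build the SQL string from raw form fields, the accepted answer treats a browser-supplied userID cookie as proof of login, and the original script redirects to whatever HTTP_REFERRER contains. The following logon.asp header is an added example, not code from any poster: it binds the form values as parameters of an ADODB.Command, keeps login state in the server-side Session, and only follows site-relative redirect targets. It assumes the thread's login.mdb with a users table (username and password columns, compared in plaintext as in the thread); IsLocalPath and CheckLogin are hypothetical helper names.

```asp
<%
Option Explicit
' Added example, not from the thread. Assumes login.mdb with table users(username, password).
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202   ' ADO constants

' True only for site-relative paths such as "/reports/page.asp?id=1".
Function IsLocalPath(p)
  IsLocalPath = False
  If Left(p, 1) <> "/" Or Left(p, 2) = "//" Then Exit Function
  If InStr(p, "\") > 0 Or InStr(p, vbCr) > 0 Or InStr(p, vbLf) > 0 Then Exit Function
  IsLocalPath = True
End Function

' Looks the user up with bound parameters, so quotes in the input stay data.
Function CheckLogin(user, pass)
  Dim conn, cmd, rs
  Set conn = Server.CreateObject("ADODB.Connection")
  conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("login.mdb") & ";"
  Set cmd = Server.CreateObject("ADODB.Command")
  Set cmd.ActiveConnection = conn
  cmd.CommandType = adCmdText
  cmd.CommandText = "SELECT username FROM users WHERE username = ? AND [password] = ?"
  cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, Left(user, 255))
  cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, Left(pass, 255))
  Set rs = cmd.Execute
  CheckLogin = Not rs.EOF
  rs.Close : conn.Close
  Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
End Function

Dim user, target
user = CStr(Request.Form("username"))
If user <> "" Then
  If CheckLogin(user, CStr(Request.Form("password"))) Then
    Session("UID") = user                      ' server-side state; the browser cannot set it
    target = CStr(Request("HTTP_REFERRER"))    ' return path passed by the page guard
    If Not IsLocalPath(target) Then target = "default.asp"
    Response.Redirect target
  Else
    Response.Redirect "logon.asp?badpassword=1"
  End If
End If
%>
```

Protected pages pair with this by keeping the Session("UID") check from the original per-page script. Plain .html files are not run through ASP, so pages that must stay behind the login need to be served as .asp.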
 

Author Comment

by:Malek103197
ID: 12112242
Thanks Coolhand2120, that is a lot simpler and very understandable.
0
 
LVL 2

Expert Comment

by:Coolhand2120
ID: 12112668
NP.  Let me know if it works out for you.

-Coolhand2120
0
